From owner-freebsd-questions Thu Aug 14 14:39:12 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id OAA14969 for questions-outgoing; Thu, 14 Aug 1997 14:39:12 -0700 (PDT)
Received: from iconz.co.nz (iconz.co.nz [202.14.100.2]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id OAA14958 for ; Thu, 14 Aug 1997 14:39:00 -0700 (PDT)
Received: from news.iconz.co.nz (status.gen.nz [202.14.100.1]) by iconz.co.nz (8.6.12/8.6.10) with ESMTP id JAA22436; Fri, 15 Aug 1997 09:38:50 +1200
Received: (from uucp@localhost) by news.iconz.co.nz (8.8.5/8.8.5) with UUCP id JAA00653; Fri, 15 Aug 1997 09:38:48 +1200
Received: from tui.pinnacle.co.nz (tui.pinnacle.co.nz [202.37.163.3]) by kakapo.pinnacle.co.nz (8.8.7/8.8.7) with ESMTP id JAA02327; Fri, 15 Aug 1997 09:26:08 +1200 (NZST)
Received: from localhost (jonc@localhost) by tui.pinnacle.co.nz (8.8.7/8.8.7) with SMTP id JAA02421; Fri, 15 Aug 1997 09:26:08 +1200 (NZST)
X-Authentication-Warning: tui.pinnacle.co.nz: jonc owned process doing -bs
Date: Fri, 15 Aug 1997 09:26:07 +1200 (NZST)
From: Jonathan Chen
To: "T. William Wells"
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Please explain why this is a security hole in /etc/daily
In-Reply-To: <5su4jm$91l@twwells.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, 14 Aug 1997, T. William Wells wrote:

> Filenames may have newlines in them. Create, in /tmp,
> /tmp/fuckyou\n/etc/master.passwd
>
> (\n representing a newline character); find prints
>
> /tmp/fuckyou
> /etc/master.passwd
>
> on two separate lines. The xargs program cheerfully makes two
> arguments to rm for it...and there goes your master.passwd.

A good reason for not using `xargs'. However, the cleanup script uses
`find ... -exec rm -f {} \;' which correctly hands the whole filename,
whitespace and all, as its argument to `rm'.

Still haven't seen anything that would indicate a security issue as yet.
--
Jonathan Chen                  e-mail : jonc@pinnacle.co.nz
Pinnacle Software Ltd          Voice  : +64.9.415.4460
Auckland, New Zealand          Fax    : +64.9.415.4250
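The behaviour both posters describe, reproduced in a throwaway directory so it can be run safely. This is an added example and not part of the thread or of the FreeBSD /etc/daily script: it builds a path whose name embeds a newline followed by the absolute path of a constructed decoy file (standing in for /etc/master.passwd), then runs three cleanup variants over it. The `find -print | xargs rm` form splits the path on the newline and removes the decoy; `find -exec rm -f {} \;` passes the path as a single argument; `find -print0 | xargs -0` is the NUL-terminated variant for anyone who still wants xargs. The function names and the sandbox layout are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce the newline problem
# in a throwaway directory, then show the forms that hand `rm` the whole path.
# "victim" is a constructed decoy standing in for /etc/master.passwd.

nl='
'

# Sandbox: $d/victim is the decoy; $d/tmp is the directory being cleaned and
# holds a path whose name embeds a newline followed by the decoy's absolute
# path, so `find -print` emits it as two lines.
setup_sandbox() {
    d=$(mktemp -d) || return 1
    : > "$d/victim"
    mkdir -p "$d/tmp/junk${nl}${d}"
    : > "$d/tmp/junk${nl}${d}/victim"
    printf '%s\n' "$d"
}

# Risky form: newline-separated names, re-split by xargs on whitespace.
unsafe_cleanup() {
    find "$1/tmp" -type f -print | xargs rm -f
}

# Form used by the cleanup script: find execs rm with the path as one
# argument, so an embedded newline never becomes a separator.
safe_cleanup_exec() {
    find "$1/tmp" -type f -exec rm -f {} \;
}

# Equivalent fix when xargs is wanted: NUL-terminate the names instead.
safe_cleanup_print0() {
    find "$1/tmp" -type f -print0 | xargs -0 rm -f
}

# Exit status 0 if the decoy is still present, 1 if the cleanup removed it.
decoy_survives() {
    [ -e "$1/victim" ]
}

teardown_sandbox() {
    rm -rf "$1"
}

# Stand-alone demonstration of all three variants.
for mode in unsafe_cleanup safe_cleanup_exec safe_cleanup_print0; do
    d=$(setup_sandbox)
    "$mode" "$d"
    if decoy_survives "$d"; then
        echo "$mode: decoy survived"
    else
        echo "$mode: decoy DELETED"
    fi
    teardown_sandbox "$d"
done
```

Running it prints `unsafe_cleanup: decoy DELETED` followed by `survived` for the two safe forms. The same splitting applies to any whitespace in a name, not just newlines, which is why `-exec` or `-print0`/`-0` is the right default wherever a script feeds `find` output to another command.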